Eli created GEODE-10448:
---------------------------

             Summary: CVE-2022-42889 Apache Commons Text security vulnerability in Apache Geode
                 Key: GEODE-10448
                 URL: https://issues.apache.org/jira/browse/GEODE-10448
             Project: Geode
          Issue Type: Bug
          Components: pulse, tools
    Affects Versions: 1.15.1
            Reporter: Eli


I have encountered the security vulnerability [CVE-2022-42889|https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om] related to Apache Commons Text. It is mentioned that the mitigation is to "Upgrade to [Apache Commons Text 1.10.0|https://commons.apache.org/proper/commons-text/download_text.cgi]." The following jar files are present:

<GEODE_HOME>/locator01/GemFire_gemfire/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar
 
<GEODE_HOME>/locator01/GemFire_root/services/http/0.0.0.0_7070_pulse_xxxxxxxx/webapp/WEB-INF/lib/commons-text-1.9.jar

The latest official [Apache Geode version 1.15.1|https://apache.org/dyn/closer.cgi/geode/1.15.1/apache-geode-1.15.1.tgz] has the vulnerable file commons-text-1.9.jar, which falls under the affected range “version 1.5 and continuing through 1.9”. Inside the folder <GEODE_HOME>/tools/Pulse, there is the file geode-pulse-1.15.1.war. Inside that war file, there is the file geode-pulse-1.15.1.war/WEB-INF/lib/commons-text-1.9.jar.

As a temporary workaround, I replaced the file commons-text-1.9.jar with 
commons-text-1.10.0.jar, updated the MANIFEST.MF file under 
geode-pulse-1.15.1.war/META-INF, and created a new geode-pulse-1.15.1.war file 
including the 2 updated files mentioned.

Unfortunately, I’m not a developer. I’m not familiar with GitHub, so as much as I would like to help by contributing to the code, there is a more appropriate person to perform the update to commons-text 1.10.0. I have sent a mail to the ASF Security Team, and I was given this [link|https://github.com/apache/geode/blob/master/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy#L144] that shows the dependency on the vulnerable commons-text version 1.9.

Can somebody assist in fixing this security vulnerability? Thank you in advance!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
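As an added example (not part of this issue or of the Geode project), a POSIX shell check a defender can run to find commons-text jars in the CVE-2022-42889 affected range (1.5 through 1.9) across a Geode install, both on disk and inside the Pulse war. The GEODE_HOME location and the availability of unzip are assumptions.

```shell
#!/bin/sh
# Added example: locate commons-text jars in the affected range across a
# Geode install, including entries packed inside .war files. Assumes unzip
# is installed; the install root is passed as an argument (a placeholder).

# Return 0 if a commons-text version string falls in 1.5 .. 1.9.
commons_text_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*) return 1 ;; esac   # non-numeric: not matched
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ] && [ "$minor" -le 9 ]
}

# Extract the version from a path or zip entry like .../commons-text-1.9.jar.
jar_version() {
    v=${1##*/}; v=${v#commons-text-}; v=${v%.jar}
    printf '%s\n' "$v"
}

# Print one line per affected jar found under $1 (loose jars and war contents).
scan_geode_home() {
    root=$1
    find "$root" -type f -name 'commons-text-*.jar' 2>/dev/null | while read -r jar; do
        v=$(jar_version "$jar")
        if commons_text_affected "$v"; then
            printf 'AFFECTED %s (commons-text %s)\n' "$jar" "$v"
        fi
    done
    find "$root" -type f -name '*.war' 2>/dev/null | while read -r war; do
        # List entries (one per line) and keep only bundled commons-text jars.
        unzip -Z1 "$war" 2>/dev/null | grep 'WEB-INF/lib/commons-text-.*\.jar$' | while read -r entry; do
            v=$(jar_version "$entry")
            if commons_text_affected "$v"; then
                printf 'AFFECTED %s!%s (commons-text %s)\n' "$war" "$entry" "$v"
            fi
        done
    done
}

# Number of affected jars under $1; a non-zero result can fail a CI or deploy gate.
count_affected() {
    scan_geode_home "$1" | wc -l | tr -d ' '
}
```

Run as `scan_geode_home /path/to/geode` after sourcing the file; after replacing the jar inside geode-pulse-1.15.1.war as described above, the war entry should no longer be reported.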